Configuring ExtremeGuest Captive Portal

This section documents the basic configurations required to deploy an ExtremeGuest (EGuest) setup. A typical EGuest deployment consists of the EGuest server, EGuest captive-portal database, and NOC adopting the access points. The EGuest server and database can be hosted only on the VX9000 platform.

In the following example, the EGuest server and database are hosted on the same device.

  1. On the EGuest server/database host:
    1. Enable the EGuest daemon. When enabled, the EGuest server is up and running.
      EG-Server-DB(config-device-02-EE-1A-7E-AE-5B)#eguest-server
    2. Apply a database-policy to enable the EGuest database.
      EG-Server-DB(config-device-02-EE-1A-7E-AE-5B)#use database-policy default
    3. Configure the NTP server. This ensures time synchronization across replica-set members. It is mandatory in replica-set deployments and should be configured in either the device or the profile context of the replica-set members.
      EG-Server-DB(config-device-02-EE-1A-7E-AE-5B)#ntp server time.nist.gov
  2. On the NOC:
    1. Create an AAA policy with the following configurations:
      • Configure the EGuest server (configured in Step 1) as the authentication and accounting RADIUS server.
        NOC(config-aaa-policy-EguestAAA)#authentication server 1 host EG-Server secret 0 extreme123
        NOC(config-aaa-policy-EguestAAA)#accounting server 1 host EG-Server secret 0 extreme123
      • Configure the proxy-mode as 'through-controller'. When configured, all requests to the server are proxied through the NOC.
        NOC(config-aaa-policy-EguestAAA)#authentication server 1 proxy-mode through-controller
        NOC(config-aaa-policy-EguestAAA)#accounting server 1 proxy-mode through-controller
        NOC(config-aaa-policy-EguestAAA)#show context
        aaa-policy EguestAAA
        accounting server 1 host EG-OnBServer secret 0 extreme123
        accounting server 1 proxy-mode through-controller
        authentication server 1 host EG-Server secret 0 extreme123
        authentication server 1 proxy-mode through-controller
        NOC(config-aaa-policy-EguestAAA)#
    2. Create a DNS whitelist. Note that DNS whitelist configuration is required only if enabling OAuth on the EGuest captive-portal. When created and used on the EGuest captive-portal, the DNS whitelist renders social plugin buttons on the client prior to successful captive portal authentication.
      • Configure the following permit rules:
        NOC(config-dns-whitelist-EguestDNS)#permit fbstatic-a.akamaihd.net
        NOC(config-dns-whitelist-EguestDNS)#permit connect.facebook.net
        NOC(config-dns-whitelist-EguestDNS)#permit facebook.com suffix
        NOC(config-dns-whitelist-EguestDNS)#permit fbcdn.net suffix
        NOC(config-dns-whitelist-EguestDNS)#permit googleapis.com suffix
        NOC(config-dns-whitelist-EguestDNS)#permit google.com suffix
        NOC(config-dns-whitelist-EguestDNS)#permit googleusercontent.com suffix
        NOC(config-dns-whitelist-EguestDNS)#permit linkedin.com suffix
        NOC(config-dns-whitelist-EguestDNS)#permit static.licdn.com
        NOC(config-dns-whitelist-EguestDNS)#permit twitter.com suffix
        NOC(config-dns-whitelist-EguestDNS)#permit twimg.com suffix
        NOC(config-dns-whitelist-EguestDNS)#permit instagramstatic-a.akamaihd.net
        NOC(config-dns-whitelist-EguestDNS)#permit instagram.com suffix
        NOC(config-dns-whitelist-EguestDNS)#permit ssl.gstatic.com
        NOC(config-dns-whitelist-EguestDNS)#permit extremenetworks.com suffix
        NOC(config-dns-whitelist-EguestDNS)#permit local.extreme.com
    3. Create a captive-portal with the following configurations:
      • Specify the captive-portal server.
        NOC(config-captive-portal-EguestCP)#server host guest.extreme.com
      • Use the AAA policy created in Step 2 a.
        NOC(config-captive-portal-EguestCP)#use aaa-policy EguestAAA
      • Enable social-media authentication. This setting is optional.
        NOC(config-captive-portal-EguestCP)#oauth
      • Use the DNS whitelist created in Step 2 b. Note that the DNS whitelist is required only if enabling OAuth on the captive-portal.
        NOC(config-captive-portal-EguestCP)#use dns-whitelist EguestDNS
      • Configure the captive portal's webpage location as advanced.
        Note: Webpage-location should be 'advanced' if using pages created with EGuest splash templates.
        NOC(config-captive-portal-EguestCP)#webpage-location advanced
    4. Create a WLAN policy with the following configurations:
      • Enable MAC authentication.
        NOC(config-wlan-EguestWLAN)#authentication-type mac
      • Use the AAA policy created in Step 2 a.
        NOC(config-wlan-EguestWLAN)#use aaa-policy EguestAAA
        Note: When used, access points/controllers forward registration requests to the EGuest server specified in the AAA policy. However, ensure that the registration > external > follow-aaa option is configured on the WLAN. See below.
        NOC(config-wlan-EguestWLAN)#registration external follow-aaa
        Note: This enables the use of the Authentication and Accounting servers specified in the AAA policy applied on the WLAN.
      • Use the captive-portal created in Step 2 c.
        NOC(config-wlan-EguestWLAN)#use captive-portal EguestCP
      • Enable captive-portal enforcement with fall-back.
        NOC(config-wlan-EguestWLAN)#captive-portal-enforcement fall-back
      • Configure the following guest registration parameters:
        NOC(config-wlan-EguestWLAN)#registration device group-name Eguest expiry-time 4320 agreement-refresh 1440
        Note: This is the RADIUS group assigned to registered users post authentication.
        NOC(config-wlan-EguestWLAN)#show context
        wlan EguestWLAN
        ssid _EXTREME-GUEST-NRF2017
        vlan 1
        bridging-mode local
        encryption-type none
        authentication-type mac
        no answer-broadcast-probes
        no client-client-communication
        wireless-client hold-time 300
        use aaa-policy EguestAAA
        use captive-portal EguestCP
        captive-portal-enforcement fall-back
        registration device group-name Eguest expiry-time 4320 agreement-refresh 1440
        registration external follow-aaa
        mac-authentication cached-credentials
        NOC(config-wlan-EguestWLAN)#
    5. In the NOC's self context, configure the EGuest server.
      NOC(config-device-74-67-F7-5C-64-4A)#eguest-server host 1 EG-Server https
  3. In the Access Point's device or profile context, use the captive-portal configured in Step 2 c.
    Eguest-AP(config-device-74-67-F7-5C-64-4A)#use captive-portal EguestCP
  4. To view EGuest registration status and statistics, on the EGuest server, use the following commands:
    EG-Server-DB#show eguest registration statistics
    EG-Server-DB#show eguest registration status
  5. To clear EGuest registration statistics, on the EGuest server, use the following command:
    EG-Server-DB#clear eguest registration statistics

Following are the related commands:

  • AAA Policy: Documents AAA policy configuration mode commands
  • dns-whitelist: Documents DNS whitelist configuration mode commands
  • captive-portal: Documents captive portal configuration mode commands
  • wlan: Documents WLAN configuration mode commands
  • eguest-server (VX9000 only): Documents the eguest-server command. When used in the EGuest server's device/profile context, without the 'host' option, it enables the EGuest daemon. When used on the NOC along with the 'host' option, it points to the EGuest server.
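
A consistency check over saved "show context" output for the AAA policy, captive-portal and WLAN configured in Step 2, given here as an added example (it is not Extreme's code or a WiNG tool). It assumes sub-commands are indented under their unindented header line; the parse and audit helpers and the sample text are constructed for illustration.

```python
import re
# Constructed sample shaped like the "show context" output above; the dns-whitelist
# and follow-aaa lines are left out on purpose so the checks have something to find.
SAMPLE = """\
aaa-policy EguestAAA
 accounting server 1 host EG-OnBServer secret 0 extreme123
 accounting server 1 proxy-mode through-controller
 authentication server 1 host EG-Server secret 0 extreme123
 authentication server 1 proxy-mode through-controller
captive-portal EguestCP
 use aaa-policy EguestAAA
 oauth
wlan EguestWLAN
 use aaa-policy EguestAAA
 use captive-portal EguestCP
"""

def parse(text):
    """Group indented lines under their unindented '<kind> <name>' header."""
    blocks, cur = {}, None
    for raw in text.splitlines():
        parts = raw.split()
        if parts and not raw[0].isspace():
            cur = blocks.setdefault((parts[0], " ".join(parts[1:])), [])
        elif parts and cur is not None:
            cur.append(raw.strip())
    return blocks

def audit(text):
    """Hypothetical helper (not a WiNG tool): list deviations from the steps."""
    blocks, out = parse(text), []
    for (kind, name), lines in blocks.items():
        if kind == "aaa-policy":
            pat = r"\w+ server \d+ host (\S+) secret \d (\S+)"
            srv = [m for l in lines if (m := re.match(pat, l))]
            if len({m.group(1) for m in srv}) > 1:
                out.append(f"{name}: authentication and accounting hosts differ")
            if any(m.group(2) == "extreme123" for m in srv):
                out.append(f"{name}: documentation example secret in use")
            if sum("proxy-mode through-controller" in l for l in lines) < len(srv):
                out.append(f"{name}: server not proxied through controller")
        if kind == "captive-portal" and "oauth" in lines:
            if not any(l.startswith("use dns-whitelist ") for l in lines):
                out.append(f"{name}: oauth enabled without dns-whitelist")
        if kind == "wlan" and "registration external follow-aaa" not in lines:
            out.append(f"{name}: registration external follow-aaa missing")
        for l in lines:  # every "use <kind> <name>" must name a defined block
            if l.startswith("use ") and tuple(l.split()[1:3]) not in blocks:
                out.append(f"{name}: references undefined {l[4:]}")
    return out
```

Running audit(SAMPLE) reports the mismatched accounting host, the example shared secret, OAuth without a DNS whitelist, and the missing follow-aaa line.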